MBR/Boot sector wiping virus/trojan?

0

I've had a machine come back to me multiple times now with the MBR/boot sector trashed. It crashes while trying to load the MBR/boot sector without a warning. Basically just gives a black screen rather than complaining about media or anything else. This last time, the customer only had the machine for about 2 weeks before it happened again. All the AV and anti-spyware was up to date, but I suspect he must be getting into something bad.

It doesn't appear to be hardware related. The first time it happened I went ahead and replaced both the hard drive and controller (as an upgrade in speed, size, and noise level!) since he didn't have anything critical on the old drive. I can run the computer for days here and nothing bad ever happens.

So, is there a common virus/trojan floating around out there that's doing this right now? If so, is there a published repair procedure?

Brian Knoblauch

Posted 2010-12-18T14:16:00.783

Reputation: 4 313

Make and model of PC? – Moab – 2010-12-19T05:32:34.797

It's a whitebox w/ AMD Hammer. Is currently at 2GB RAM, Single Seagate 73GB U160 SCSI on Adaptec 2100S RAID card. ASUS mobo. Originally had 512MB RAM and dual Seagate Ultra SCSI 9GB drives on an Adaptec 2940UW controller. – Brian Knoblauch – 2010-12-20T12:32:18.077

Answers

1

We finally narrowed it down to a supposed video that he received in e-mail. It fails to open, but after the next shutdown, the computer won't start... Moral of the story is never open attachments sent in e-mail, no matter who it appears has sent them. :-)

Brian Knoblauch

Posted 2010-12-18T14:16:00.783

Reputation: 4 313

Teaching people to walk around landmines is less efficient than having the computer do it with sandboxing like DropMyRights provides. How did you repair the MBR? – Cees Timmerman – 2013-11-12T07:38:06.673

I didn't bother to repair the MBR. He only uses it for web surfing and checking e-mail, so data loss isn't a concern. I wiped the drive with the Adaptec firmware then built new partitions and reinstalled. I've never heard of "DropMyRights" before. I'll have to go check it out. – Brian Knoblauch – 2013-11-12T14:50:39.857

0

I don't think MBR/Boot sector trojan/viruses are common nowadays.

One thing you need to rule out is the user doing something wrong - is your service charging him? You can consider adding a password onto the BIOS and setting the 'MBR readonly' flag there (most BIOSes did have this support, I think).

Before committing the problem to software, though, you need to rule out a possible controller problem... sometimes a weird controller problem can lead to first sector corruption.

bubu

Posted 2010-12-18T14:16:00.783

Reputation: 9 283

I did not see the boot sector virus protection option in this BIOS. This has happened on 2 different controllers, with 2 different hard drives now. The first controller was in there for a couple years. User does report that he downloaded one of those "E-Cards" (probably a trojan) right before the first failure. He couldn't come up with anything special about the second time. – Brian Knoblauch – 2010-12-20T12:34:33.813

"I don't think MBR/Boot sector trojan/viruses are common nowadays." They have become very popular in Windows PCs these days. – Moab – 2012-04-20T16:03:40.080